Monday, October 16, 2017

Legend says that there was a boy who had always wanted to live in a house full of plants and flowers. He bought and bought until he had the house full of pots. It was beautiful; it looked like a tropical garden. But in a few days the leaves became dry and withered, and every week the plants died. Worried, he went down to the flower shop and asked the clerk, who asked, "How many times do you water them?" And he replied, "Water? No one had told me to water them."

In the cybersecurity world all businesses want a lush garden, with fertile trees and abundant flowers. But many forget that there are basic needs that require broader strategies than those used hitherto. In the interview of the week we talked about David Mahon, Executive Director of Strategy at CenturyLink.

His professional life is a clear example of how cybersecurity is being incorporated into the company and its strategies. A few years ago he worked in law enforcement at the FBI, leading programs on cybercrime, white-collar crime and organized crime. It's remarkable how, from his position in the cybersecurity sector at the FBI, he has now come to develop the complete strategy for a telecommunications company like CenturyLink.

In his current position he is part of a company with more than 40,000 employees and over 20,000 suppliers operating in 35 countries. The scale is brutal, and because of that size and depth its attack surface is larger. In his own words: "We see things differently than other companies see them. We are big and we get attacks every day."

When Mohan asked about the fear of the unstoppable arrival of AI in companies and how this new technology can affect the types of attacks, Mahon makes it clear: "A lot of people ask me the exact same thing and I answer them that the attacks will be exactly the same as the ones we received this year. The reason is that companies are not solving the current problem." According to him, companies are divided into three categories: reactive, proactive and predictive. Mahon says: "The vast majority of companies are reactive. They should start to be more proactive." According to his categorization, the companies that take the step from proactive to predictive are usually organizations in the security sector, financial services or even the government.

About the recent WannaCry ransomware attack, Mahon says, "WannaCry was not something that could happen to a company with a mature patch management program. If you have a patch management team which is doing its job properly, they should have repaired everything when it started. The vulnerability started in March, the patch to solve the problem was launched in early May and the attack occurred in the middle of that month."

As companies move towards a higher level of digitization, cybersecurity increases in importance. Companies have customer data cores that have been collected over the years. The risk, according to Mahon, comes when someone from the business strategy team wants to gather all this data into a data lake as part of some kind of digital transformation initiative. A "data lake" makes it possible to link anonymous information with personal information. "Does this mean that the entire data lake needs to comply with PCI (credit card industry) standards or the GDPR legislature? And where are we going to get the necessary staff to do it?" From his point of view, the evolution of companies towards a more digitized world brings them up against a reality: the need for a cybersecurity strategy with a qualified staff to implement it. This is achieved by aligning the cybersecurity strategy with the overall business strategy and leaving it to deal with an adjoining department that performs specific tasks.

For Mahon, the board is beginning to be aware of the need for cybersecurity. He illustrates this with personal experience: "In the first days of cybersecurity, when the insurance team was going to present a report to the brokers and insurers, they asked me to make them a slide. Now they want me in the meetings explaining for two hours how our security works."

When talking about large companies, the first thing that comes to mind is great economic benefits, but today, in the information age, data are often more important than financial goods. Cybercriminals are very aware of this, and that is why, as a company, the protection of information should not be in second place. David Mahon shows that this change is occurring and that companies no longer only plant but are also realizing the importance of constant irrigation in terms of cybersecurity.